Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  KNOCKCF (5)


.knockcf - The knock configuration file


See Also


The port-knocker client knock requires a configuration file named ".knockcf" to be in the user’s home directory. Any value in the file may be overridden by command-line parameters to knock

The file consists of simple keyword-value pairs, one pair per line. The keyword and value must be separated by one or more space or tab characters. Keywords are not case-sensitive, though most values are. Any part of a line following a ’#’ character is ignored, and may be used as a comment. Blank lines are ignored.

The file MUST be readable and writeable ONLY by the owner.


group <name>
  This specifies the group name (guest name) used to identify yourself. Group names may be up to 32 characters in length. Both group names and secrets may contain any alphanumeric character, as well as the characters: !@#$%^&*()_-+=|{};:’"<>,?/

Note that whitespace and the "." character (period, or decimal point) are not permitted.

secret <password>
  This is the password used to authenticate you to the doorman. Secrets may be up to 64 characters in length, and use the same character set as group names. The secret is catenated with the IP address of the client machine and the seconds-of-epoch, and put through an MD5 hash before being sent to the doorman.

This record may be omitted from .knockcf; if it is missing, and the secret is not included as an option on the command line (generally not a bright idea, anyway), ’knock’ will prompt you for one.

port <integer, 1-65534>
  Knock on the specified UDP port. The default is port 1001.
run "program arg1 arg2 ... "
  Run this program after sending the knock packet, and after a 1/10th second pause. Note that the entire command must be enclosed in either single or double quotes. Two special strings may be included to substitute for command-line parameters. %H% substitutes for the hostname or IP address, and %P% substitutes for the requested port number or service name.


# # If any of these records is missing, its value may be # specified with a command-line option. # (You may omit the secret from both, and wait to be prompted; # this is perhaps the safest [or most paranoid] way on a unix host) # group marketeers # "Who you are" to the doorman secret b1g%Hairy_[seCret}! # <- This is why no one else should # be able to read this file... # A PLAINTEXT PASSWORD! # port 1001 # The UDP port the doorman is watching # run "ssh -lmyname %H%" # Run ’ssh’ after knocking. # The hostname used in the knock command # will be subsituted in place of ’%H%’.


knock(1), doormand(8),, guestlist(5)


doormand and knock are an implementation of an original idea by Martin Krzywinski. See his site at


Copyright (c) 2003-2005, J.B.Ward

Search for    or go to Top of page |  Section 5 |  Main Index

Port-knocker, V0.81 .KNOCKCF (5) Aug 14 2005

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.